RSA 2013: Microsoft Calls For Global Push On eID Schemes

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Widespread Internet driving licenses would boost Internet security and usability massively, says Microsoft’s Scott Charney

Microsoft believes there are reasons to be optimistic about Internet security, and thinks that if governments pushed for wider use of Web identity schemes, they would help make the online world much safer.

During a keynote at RSA 2013, Scott Charney, corporate vice president of Trustworthy Computing at Microsoft, said authentication would be made much easier if it became an interaction solely between a user and their government.

Users would not have to deal with numerous parties, such as the Internet service they are attempting to interact with, if they had something akin to a driver’s license for the Web. This would make the process more efficient and could help track malicious actors and prevent them from causing further harm, Charney said.

Microsoft optimistic

“If you take out the difficulties in the equation, you can make progress,” he said. “I’m not saying we will be able to detect all bad actors, that they won’t be able to evade it.” But it would catch the less sneaky crooks, he added.

Charney spoke of the need to foster market drivers and government interest so that innovative Internet identity projects get going. “Particularly in the consumer space, it is hard to get people to appreciate they need an e-ID card when no government or merchant is asking them to produce it.”

In the UK, the government is working with a range of providers, including PayPal, to create identities for those wanting to access government services. The first pilot project will let people choose how they want to log in to access their benefit information as part of the Universal Credit system.

Charney pointed to Germany as one example, where eID cards have been rolled out in a bid to let users easily and securely carry out transactions.

Microsoft has also praised the work of the National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative, which wants to see IDs given to individuals by either public or private bodies.

Jeff Jones, director for Microsoft Trustworthy Computing, told TechWeekEurope that Microsoft “recognised that a robust, interoperable identity metastructure is critical to building trust in computing”.

Microsoft has voiced support for radical changes to protect the Internet before, most notably when Charney, speaking in 2010, called for infected systems to be banned from the Internet. In this area, Microsoft appears to have diluted its rhetoric somewhat.

“In terms of dealing with infected machines, the range of options includes notifying the user, providing a partially restricted experience, blocking access or doing nothing. Each of these options could be appropriate in different scenarios depending on the risk to the user or the service,” Jones added.

“For example, out of date anti-malware signatures might trigger a simple notification but missing a critical security patch involved in a current internet worm would result in a restricted experience for the user until they install the patch. We believe this should require the user and the service provider to opt-in to this model. Non-participating users and devices would not be affected.”

Charney believes the advent of cloud services should provide more reason for cheer in this respect, as the software-as-a-service model allows for automatic patching, without the need for user input.
